My email account just sent a handful of my friends and family members an email with a spammy link to something called "Viagrow", but I can't for the life of me figure out where the email came from, or how it happened. Is there a way to track the origin of a spam email so I can keep it from happening again?

Thanks,
Sick of Spam

Dear SoS,
Spam is a wonderfully curious thing. In most cases, its existence makes you wonder who it's targeting and what its goal could be. Maybe more than anything, it's an annoying surprise when a friend tells you they received spam from your email address. Let's walk through how you can track down the origin of a spam email and what you can do with the information.

Track and Block the Location of the Spammer

The first step to take is to find the sender's IP address (this is sort of like an internet phone number) by examining the header of the email. The header contains identifiers that will lead you to where the sender is located. Most email programs hide this information from you by default because most of the time, you really don't need to know everything in the header—but it's easy to find. The header is the email's history and lets you track everywhere the email went as if you're tracking a UPS package. If the email actually originated from your account, there's still a copy in your sent folder. If no copy exists on your end, have one of the people who received your message forward the email back to you. Here's how you find the header in most common email programs:

Gmail: Select the spam message. Click the down arrow next to the reply arrow. Select "Show Original."

Hotmail: Select the spam message. Click the down arrow next to the reply arrow. Select "View message source."

Most other mail programs have a method similar to those above. Once you have the full header, look for the words "Received: from" toward the top of the header. From there, you can track the email's journey through the internet. The top line is the origin of the email and it works its way all the way to your IP address at the bottom of the header. The IP address will look something like: 93.178.70.221.
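
If you would rather not pick the addresses out by eye, the short Python script below does the header-reading step for you. It is an added example, not part of the original article: the sample header is constructed with documentation-range addresses, and the function names are made up for illustration.

```python
import email
import ipaddress
import re

# Constructed sample header (documentation-range addresses, not a real message).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123;
\tTue, 02 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [203.0.113.20])
\tby mx.example.net with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Received: from [10.1.2.3] (unknown [192.0.2.55])
\tby relay.example.com with ESMTPA; Tue, 02 Jan 2024 10:00:01 +0000
From: friend@example.com
"""

# Address literals in Received lines are written in square brackets.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Home/office ranges (RFC 1918) that a WHOIS lookup cannot place anywhere.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_hops(raw_message):
    """Return one entry per Received line, in the order the header lists them."""
    # Each mail server adds its line above the ones already present. Lines
    # written by servers you do not trust can be forged by the sender.
    msg = email.message_from_string(raw_message)
    hops = []
    for position, value in enumerate(msg.get_all("Received", []), start=1):
        ips = []
        for candidate in BRACKETED.findall(value):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # bracketed text that is not a valid address
        hops.append({"position": position, "ips": ips})
    return hops

def lookup_candidates(raw_message):
    """Addresses worth a WHOIS lookup: valid, not internal, no duplicates."""
    seen = []
    for hop in received_hops(raw_message):
        for ip in hop["ips"]:
            internal = ip.is_loopback or any(ip in net for net in INTERNAL)
            if not internal and str(ip) not in seen:
                seen.append(str(ip))
    return seen
```

Paste the full text from "Show Original" in place of SAMPLE and call lookup_candidates() to get the list of addresses to look up.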

Now we're going to figure out where that origin IP address is located. Head over to DNSStuff and enter the IP address from the top of the header into the WHOIS field.

For the above IP address, we find information that this IP is registered to someone named Vladimir Sherstnev in Russia. The search results also mention this is probably a forged IP address, which means someone used it specifically to send out a bunch of spam emails to people. In this case, it means the original location of an email was faked and poor Vladimir was probably not at fault. If you like, you can report this address to the Internet Crime Complaint Center. However, another possible origin address type exists: your own IP address.

Not long ago I received a spam email from my dad. It originated at 65.55.34.XXX, which is owned by Microsoft. This makes sense because his address is a Live email account. In this case, it means his account was either hacked or spoofed. Hacked means someone got his password and went on a junk-emailing spree. Spoofed means someone is pretending to be him (or you). So, what do we do now? We see which of those two happened.

Check Your Account Activity and Research Your Email Access History

To check if your account has been hacked you need to look into the recent history on your account. This is going to vary by email provider but here's how to do it in two of the big ones:

Gmail: At the bottom of your inbox, click Details. This will open a pop-up window with the recent IP addresses that have accessed your account (your current IP is listed on the bottom).

As far as I can tell, you can't get this information in Hotmail. If you're on a private server, most webmail apps show your access history somewhere in the preferences panel.

If you see an IP address that isn't one of yours (don't forget you can search Google for "IP" to get your current address), then your account and password were probably hacked. Change your password and continue monitoring the logins to your account over the next few days. As sunilsathees notes in the comments, you should also check your password recovery options to make sure nothing was changed. If the hacker changes the recovery email to their own, they can still access your account even after you change the password. You can find these in the Preferences section for most email providers.

You have a few ways to check if your account is being spoofed. First, do the same search as above to make sure nobody is in your account. Next, check your forwarding options. Make sure your email isn't set to forward anywhere you didn't set it to. It's also a good idea to run an antivirus scan on your computer. You can find our picks for Windows and Mac if you don't have one. If you're using Gmail, look at your authorized sites to ensure no apps have access to your account that aren't supposed to.

Finally, retrace your steps. Did you click on a phishing link or reply to spam mail? If you did, find that email again. Look at the complete header and track the information the same way you did above. This doesn't solve the problem, but it does give a face (or an IP address at least) to the culprit. If it's particularly irksome or continues to happen, report the address to your email provider and have them investigate the address.